Mexico Issues Data Security Guidelines
Time 2 Minute Read
Categories: Enforcement, Information Security, International

As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

The guidelines advise companies to develop a security management system that includes the following four key steps:

  1. Planning – identifying key security objectives, examining data flows within the organization and conducting a risk analysis;
  2. Doing – implementing the necessary policies, procedures and plans that help to achieve the organization’s data security objectives;
  3. Checking – auditing and evaluating whether the policies, procedures and plans are achieving those objectives; and
  4. Acting – taking corrective action and other remediation measures to continually improve data security, including training relevant personnel.

Mexico’s Data Protection Secretary Alfonso Oñate-Laborde commented on the guidelines, noting that an increasing number of Mexican companies are taking affirmative steps to improve their data security. He also stated that the IFAI will focus on enforcement and conduct data security audits of companies to determine compliance with the guidelines.

Tags: Cross-Border Data Flow, Mexico
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 2 Minute Read
Council of the European Union Adopts New Rules to Boost Cross-Border GDPR Enforcement

On November 17, 2025, the Council of the European Union adopted new rules designed to strengthen cooperation among national data protection authorities, enhancing the enforcement of the EU General Data Protection Regulation.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Plaintiffs Allege Violation of Bulk Data Transfer Rule in Class Actions

On September 2, 2025, two class actions were filed in federal district court alleging that defendants digital advertising platforms Xandr, Inc. and Index Exchange, Inc. violated the Electronic Communications Privacy Act by unlawfully intercepting wire communications for the purpose of violating the Department of Justice’s Bulk Data Transfer Rule.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
EU’s General Court Confirms Adequacy of EU-U.S. Data Privacy Framework

On September 3, 2025, the EU’s General Court issued its judgment in the Latombe v. Commission case. The applicant, a member of the French National Assembly, sought the annulment of the adequacy decision adopted by the European Commission with respect to the EU-U.S. Data Privacy Framework.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
EDPB Finalizes Guidelines on Data Transfers to Third Country Authorities and Training Materials on AI and Data Protection

On June 4, 2025, the European Data Protection Board published the final version of Guidelines 02/2024 on Article 48 of the GDPR regarding data transfers to third country authorities. In addition, during its June plenary meeting, the EDPB presented two new Support Pool of Experts projects to provide training materials on AI and data protection.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page